SHA2017 CTF suspectfile1

Description

Suspect File1(100) - 63 solves

Needed Tools

  • gdb
  • peda : gdb plugin available here (also check the Blackhat 2012 presentation of PEDA)

Walkthrough

After downloading the challenge archive available here, we first uncompress it with tar zxvf suspectfile1.tgz, which creates a new file named 100.

Next we check what kind of file we are facing with file 100:

We then run the binary to see what happens:

It is clearly visible that this binary does not try to read user input after being launched, so there must be some command-line parameter processing.

Let’s now have a look at it within gdb: gdb ./100

Typing pdisass main displays the disassembled version of the main function.

We can see that main is quite long (more than 5000 instructions).

At the end of this function, we can observe a call to a function named “Sorry”. We can guess it is responsible for displaying the “bad boy” message (“Sorry”).

We set a breakpoint at the start address of this function to see the call stack:

break sorry

Then we run the program with some parameter: r some_parameter

The breakpoint is reached, as we can see below.

Not much to say: we are lucky enough to see the flag at $esp+4.
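The same inspection, written as a reusable gdb command file (an added example, not part of the original writeup). It assumes a 32-bit binary using the cdecl convention, which is why the flag shows up at $esp+4: at function entry $esp holds the return address and $esp+4 the first argument; the first argument being a pointer to a string is also an assumption.

```gdb
# Usage (assumed): gdb -q -x sorry.gdb ./100
# Break at the entry of the function the disassembly calls "sorry".
break sorry

# Commands executed automatically each time the breakpoint is hit.
commands
  silent
  # Return address pushed by the call instruction.
  printf "return address: 0x%08x\n", *(unsigned int *)$esp
  # Raw dump of the first 8 stack words, so nothing is missed
  # if the argument is not a plain char pointer.
  x/8wx $esp
  # First argument under cdecl, interpreted as a C string
  # (assumption: sorry() receives a char *).
  x/s *(char **)($esp+4)
  # Show who called us, as the writeup does with the call stack.
  bt
end

# Run with an arbitrary parameter, as in the writeup.
run some_parameter
```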

Written on August 7, 2017